** Changed in: mahara/1.9
       Status: Fix Committed => Fix Released

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1363873

Title:
  Session Management Issue- Session is not invalidating after password
  change

Status in Mahara ePortfolio:
  Fix Committed
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Committed

Bug description:
  Hi Security Team,

  I have discovered the session management issue on the domain
  https://mahara.org/

  Description of the issue-

  The application does not invalidate the previous session once the
  password is changed by the legitimate user.

  How to reproduce?-

  1. Log in to the application using https://mahara.org/.
  2. Let's assume the application user's account is compromised, so he wants to
  change his password; he will navigate to the forgot password page and change
  his password.
  3. The application user is able to change his password, but it was observed that
  the previous session was still not invalidated, and I was actually able to
  browse the application from both sessions.

  Impact- If the application user's account is compromised, he will simply
  change his password, but if the previous session is not invalidated there is
  no use in changing the password.
  Please let me know if you need a video PoC for this.

  Remediation- Invalidate the previous session once the password has
  been changed and force the application user to log in to the
  application again.

  Thanks and Regards,
  Abhishek Dashora
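The remediation the reporter asks for, as an added illustration that is not part of the bug report and not Mahara's own code: a small session store in which every session records the "password version" it was issued under. A password change bumps the user's version and drops the user's other sessions from the store, and session validation also refuses any session whose recorded version is stale, which catches sessions that survived the deletion (for example in a replicated session backend). The `change_password_vulnerable` method reproduces the reported behaviour for comparison. All names (`SessionStore`, `password_version`, `keep_session`) and the user data are constructed for this example.

```python
"""Constructed example: invalidating existing sessions on password change.
Not Mahara's code; the store, user and session classes are illustrative."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: str          # placeholder; real code stores a proper password hash
    password_version: int = 0   # incremented on every password change


@dataclass
class Session:
    session_id: str
    username: str
    password_version: int       # version of the password this session was issued under
    created_at: float = field(default_factory=time.time)


class SessionStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self.users[username] = User(username, password_hash)

    def login(self, username: str) -> str:
        """Issue a fresh, unguessable session id bound to the current password version."""
        user = self.users[username]
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, username, user.password_version)
        return sid

    def is_valid(self, sid: str) -> bool:
        """A session is valid only if it exists AND was issued under the current password."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        user = self.users.get(session.username)
        return user is not None and session.password_version == user.password_version

    def change_password_vulnerable(self, username: str, new_hash: str) -> None:
        """The reported behaviour: the credential changes, every old session keeps working."""
        self.users[username].password_hash = new_hash

    def change_password(self, username: str, new_hash: str,
                        keep_session: Optional[str] = None) -> int:
        """Hardened behaviour: rotate the credential, bump the version, and revoke
        every other session of this user. Returns the number of sessions revoked.
        In a forgot-password flow there is no current session, so keep_session is
        None and all sessions of the user are revoked."""
        user = self.users[username]
        user.password_hash = new_hash
        user.password_version += 1
        stale = [sid for sid, s in self.sessions.items()
                 if s.username == username and sid != keep_session]
        for sid in stale:
            del self.sessions[sid]
        # Re-bind the session that performed the change so that user is not logged out.
        if keep_session is not None and keep_session in self.sessions:
            self.sessions[keep_session].password_version = user.password_version
        return len(stale)


def demo() -> Dict[str, bool]:
    """Walk through the reported scenario against both implementations."""
    store = SessionStore()
    store.add_user("alice", "hash-v1")
    # Session held by whoever obtained the compromised credential.
    old_session = store.login("alice")
    store.change_password_vulnerable("alice", "hash-v2")
    survives_vulnerable = store.is_valid(old_session)
    store.change_password("alice", "hash-v3")          # forgot-password flow: no keep_session
    survives_fixed = store.is_valid(old_session)
    return {"old_session_survives_vulnerable": survives_vulnerable,
            "old_session_survives_fixed": survives_fixed}


if __name__ == "__main__":
    print(demo())
```

The version check in `is_valid` is the part worth copying: deleting rows from the session table is the obvious fix, but tying validity to the password version means a session that was missed (or restored from a backup or replica) is still rejected, and it also gives a cheap "log out everywhere" operation.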

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1363873/+subscriptions
